system/machines/magenta/default.nix


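# NixOS configuration for host "magenta": a public mail server
# (simple-nixos-mailserver) plus a Gitea instance behind nginx/ACME.
#
# Security-relevant fixes in this revision:
#   * [repository.signing] DEFAULT_TRUST_MODEL was "collaboratorcommiter"
#     (single t). Gitea only recognises "collaborator", "committer" and
#     "collaboratorcommitter"; an unknown value is silently treated as the
#     default, so the stricter trust model this line intends was never applied.
#   * Gitea's HTTP listener is bound to loopback: nginx is the only intended
#     entry point, and the default bind address (0.0.0.0) would otherwise
#     expose plain-HTTP port 9901 to the network whenever the firewall does
#     not cover it.
#   * SSH password authentication is disabled explicitly. Root already only
#     accepts keys (NixOS default PermitRootLogin=prohibit-password), but the
#     sshd password path was still on for any other account.
{ config, pkgs, ... }:
let
  # Shared host data (public SSH keys etc.), maintained outside this file.
  data = import ../../data.nix;
in
{
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
    ./mail-accounts.nix
    ../modules/common.nix
    ../modules/nix.nix
    ../modules/nginx.nix
  ];

  boot.cleanTmpDir = true;
  zramSwap.enable = true;
  networking.hostName = "magenta";

  services.openssh = {
    enable = true;
    # Key-only logins. Root login already defaults to prohibit-password, but
    # leaving PasswordAuthentication at its default (yes) keeps an online
    # password-guessing surface open for every other local account.
    # (Renamed to services.openssh.settings.PasswordAuthentication in
    # NixOS 23.05; the old name is kept as an alias there. Consider also
    # disabling keyboard-interactive/PAM auth on releases that offer it.)
    passwordAuthentication = false;
  };
  # Only the keys listed for "jan" in data.nix may log in as root.
  users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;

  security.acme = {
    acceptTerms = true;
    # Contact address for Let's Encrypt expiry/incident notices.
    defaults.email = "dmitriy@pleshevski.ru";
  };

  # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
  mailserver = {
    enable = true;
    fqdn = "mail.pleshevski.ru";
    domains = [ "pleshevski.ru" ];
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80 (HTTP-01 challenge).
    certificateScheme = 3;
    hierarchySeparator = "/";
  };

  # Backing database for Gitea, reached over the local unix socket below.
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_14;
  };

  # gpg-agent is needed for Gitea's "default" repository signing key.
  programs.gnupg.agent.enable = true;

  services.gitea = {
    enable = true;
    # Listen on loopback only: nginx (below) is the sole intended entry point
    # and terminates TLS. The module's default bind address is 0.0.0.0, which
    # would serve plain HTTP on 9901 to anything the firewall lets through.
    httpAddress = "127.0.0.1";
    httpPort = 9901;
    domain = "nix-git.pleshevski.ru";
    rootUrl = "https://nix-git.pleshevski.ru";
    appName = "Pleshevskiy Git Repositories";
    # SMTP password for the mailer USER below, provisioned via agenix (see
    # age.secrets at the bottom). NOTE(review): USER is a personal mailbox;
    # a dedicated service account would limit what a Gitea compromise can
    # read or send — confirm whether that is acceptable here.
    mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
    database = {
      type = "postgres";
      # Unix socket: no network listener, peer authentication by the
      # postgres server, no password to manage.
      host = "/run/postgresql";
      port = config.services.postgresql.port;
    };
    lfs.enable = true;

    settings = {
      # NOTE(review): LEVEL=Error plus DISABLE_ROUTER_LOG drops request and
      # auth-event logging. Convenient for noise, but it leaves little to work
      # with during an incident; consider at least "Warn" with the router
      # log kept if this host is ever investigated.
      log.LEVEL = "Error";
      # NOTE(review): no metrics.TOKEN is configured, so /metrics is served
      # unauthenticated, and nginx proxies the whole site publicly. Set a
      # TOKEN (bearer auth for the scraper) or restrict /metrics in nginx
      # if exposing instance statistics to the internet is not intended.
      metrics.ENABLED = true;
      database.CHARSET = "utf8";
      server.DISABLE_ROUTER_LOG = true;

      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
        # false: a new user's e-mail is shown publicly unless they opt out.
        DEFAULT_KEEP_EMAIL_PRIVATE = false;
        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
        DEFAULT_ENABLE_TIMETRACKING = true;
        DEFAULT_ENABLE_DEPENDENCIES = false;
        # Closed instance: accounts are created by an admin only. This is
        # what makes the disabled captcha / e-mail confirmation below
        # acceptable.
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = false;
        ENABLE_CAPTCHA = false;
        ENABLE_TIMETRACKING = false;
        # Anonymous users may browse public repositories.
        REQUIRE_SIGNIN_VIEW = false;
        REGISTER_EMAIL_CONFIRM = false;
        # Domain (not an address) used to synthesise no-reply sender
        # addresses; this is what Gitea expects for this key.
        NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
      };

      repository = {
        DISABLE_MIGRATIONS = false;
        DISABLE_HTTP_GIT = false;
        DISABLE_STARS = true;
        DEFAULT_BRANCH = "main";
        DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
      };

      "repository.signing" = {
        # Sign with the gitea user's default GPG key (needs gpg-agent above).
        SIGNING_KEY = "default";
        # Fixed spelling (was "collaboratorcommiter"). Gitea falls back to
        # its default model for unrecognised values, so the typo meant that
        # signatures were trusted on the looser "collaborator" basis instead
        # of additionally requiring the committer to match the signing key.
        DEFAULT_TRUST_MODEL = "collaboratorcommitter";
        # Only sign merges when the base and all commits are already signed
        # and the merging user has a public key registered.
        MERGES = "pubkey,basesigned,commitssigned";
      };

      "repository.local" = {
        LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
      };

      "repository.upload" = {
        TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
        # Web uploads restricted to image MIME types.
        ALLOWED_TYPES = "image/*";
      };

      "repository.pull-request" = {
        WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
      };

      indexer = {
        ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
      };

      # Server-side session store on local disk (under Gitea's state dir).
      sessions = {
        PROVIDER = "file";
        PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
      };

      picture = {
        AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
        REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
        # Gravatar / federated avatars leak (hashed) user e-mails to third
        # parties on page views; left enabled as configured upstream.
        DISABLE_GRAVATAR = false;
        ENABLE_FEDERATED_AVATAR = true;
      };

      attachment = {
        PATH = "${config.services.gitea.stateDir}/attachments";
      };

      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        FROM = "\"${config.services.gitea.appName}\" <no-reply@pleshevski.ru>";
        USER = "dmitriy@pleshevski.ru";
        # Port 465 = SMTPS (implicit TLS) on the mail server configured above.
        # NOTE(review): Gitea has treated :465 as implicit TLS historically;
        # newer releases prefer PROTOCOL=smtps with SMTP_ADDR/SMTP_PORT —
        # verify against the deployed Gitea version.
        HOST = "mail.pleshevski.ru:465";
      };

      openid = {
        # Existing users may sign in via OpenID; no account creation through it.
        ENABLE_OPENID_SIGNIN = true;
        ENABLE_OPENID_SIGNUP = false;
      };
    };
  };

  # Public TLS endpoint for Gitea; plain HTTP is redirected to HTTPS.
  services.nginx.virtualHosts."nix-git.pleshevski.ru" = {
    enableACME = true;
    forceSSL = true;
    # Explicit IPv4 loopback to match httpAddress above ("localhost" may
    # resolve to ::1 first, where nothing is listening).
    locations."/".proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}/";
  };

  # Decrypted at activation time, readable only by the gitea service user.
  age.secrets.gitea-mailserver-passfile = {
    file = ../../secrets/mailserver-users-jan-passfile.age;
    owner = config.services.gitea.user;
    group = "gitea";
  };
}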